See:

http://www.theregister.co.uk/2005/11/10/password_hashes/

Some enterprising people have decided to make money out of providing people with the ability to obtain passwords from hashes.

The malicious user still needs to be able to obtain the password hash, meaning they either need to sniff it or have physical access to the box so your other controls will hopefully protect you but......

What are the possible uses of this system except for providing people with the ability to crack passwords for a malicious reason. I can't think of a reason why this service could be used for a legitimate purpose.

Let me know if I am missing something though??

Well... I have occasionally had to break into machines for legitimate purposes.


Users occasionally forget their passwords, and if there is only one account on the machine...

Shrekkie's (now known as Raiden) website had one up for a while, though just for MD5 hashes. It's down right now due to a lack of disk space and RAM, but it was up not too long ago, and worked magically...

If Shrekkie can do it, anyone can :p

D0pp -
Yeah I thought about that too but if you are going to use this service you still need the password hash - Which you will need to log onto the box to obtain (unless you have a backup of your password hash somewhere - which I doubt would be likely).

Nice but.... finger prints and usb keys become be used more now.... I do not know how that kind of info is stored in computer.... but I think that is limitation for that service...
It is not always now that is if you can crack then you can use....
You can crack but cannot use.....

Yes it is legal way to that but just on computer that is yours or you have rights to do that.
"Rights" is key.. but still each contry has own rulls. So some of users need to check up it if it is legal there.

All you actually need is some method of booting the machine without using the hard drive. A live cd will work, as will a boot floppy with the capability to read the SAM database. You can also just take the hard drive out and place it in another computer to read it.

If you have physical access to the machine, you can get anything you want off the hard drive. It's really that simple.

True - Ok I didn't think of live CD if you have forgotten the password of the 1 account on the system then this service could be useful.

But you have to pay a yearly subscription fee, is anyone actually going to pay such a fee just in case they forget their password?

I just think that (if people sign up for this service) the overwhelming use of this service will be for cracking others passwords that have been obtained either illegally or without the other individuals consent.

I would hope that most corporates or Govts have an appropriate level of additional controls to make this a non issue, just thinking about home users and the potential risks for them.
Mind you for most of the uneducated home users I know, there are plenty of easier ways that they will be exploited!!

If you are home user that cannot much about computer and you have password on you windows account, so it is easy to reset it with windows build in tool....

1) push "ctrl+alt+del" two time in login screen, so it will change to-> User and Password box.
2) Write in User name "Administrator" in can be different deppends on what language that OS is, (in that case translate Administrator into your language)
3) No password need, just push Enter
4) In console you can use "start control userpasswords2" or in run menu "control userpasswords2"
5) then chose account where you want to reset password, you will se "Reset Password" butten there.

Easy...... ;) , windows helps do it for free....

Resetting passwords via a linux boot disk works too well. I see no problems with that but I do think that normal users wont need this site really. I think of it as any other tool out there like a gun for example, guns dont kill people. People kill people. This site might be like any other offencive tool that could be used for wrong doing. Its kinda in the grey area.

This site requires a yearly fee?? Sorry but most malicious users are not going to pay for this service... mainly because there are a number of other ways and free software out there that will do it for you... Might take longer, but it's free... There's also ways to make password cracking clusters to make the process faster... there's a tutorial on AO about that somewhere...

It seems they have made a yearly fee because A: they want to make money and B: it will help keep malicious people away...

If everyone is using good password policies (and enforcing them), then this really wouldnt be an issue.

1)...No dictionary words!
2)...No password shorter then 14 characters

If everyone is using good password policies (and enforcing them), then this really wouldnt be an issue.

In the real world..that just doesnt happen..............I have yet to find a basic end user with a 14 character password...I have been able to get better passwords...using pass phrases instead.

Rights and permissions are the other layer I use.... very limited access...to network data and services, machines etc.....no one has access to anything other then what is required for thier job function.

I also block certain files in the email client...

Also...a computer usage policy....where surfing is monitored. in and out

Security auditng on the server...and privledged workstations.

These steps have greatly improved the security of the network...more so then just a good password policy.

Security has to be layered....they may be able to jump one barrier...just to face another.

Passwords do not matter if I have physical access to the machine....if it is a network machine... data is stored on the server not on the client...

MLF

Ture most passwords are painfully simple. I like the email layout <something>@<something>.<something> makes them think of 3 diffrent things, uses @ and . It only works if they dont make it an acutall email address. like ech0@wickd00d0rz.w00t note this isnt my real password............................i dont think. :)

"In the real world..that just doesnt happen..............I have yet to find a basic end user with a 14 character password...I have been able to get better passwords...using pass phrases instead."


Very true...However if were talking M$, there's password policy plugins that you can develop that will force users to follow password policies. Simple Point: you HAVE TO FORCE USERS TO COMPLY WITH YOUR PASSWORD POLICY. A little hacking could make it work linux as well.

Personally I do something like Ech0 was talking about:

Ture most passwords are painfully simple. I like the email layout <something>@<something>.<something> makes them think of 3 diffrent things, uses @ and . It only works if they dont make it an acutall email address. like ech0@wickd00d0rz.w00t note this isnt my real password............................i dont think.

Use phrases (Because there easy to remember) but seperate the words with different alphanumberic characters...Example: BoW$TO$ThE$CoW

BoW$TO$ThE$CoW

Why not just use spaces?

This has been discussed before....where you make the user password so difficult......and change so often...that they write them down or resort to the method below

Quote is from a response to the article originally posted here

http://www.antionline.com/showthread.php?s=&postid=871096#post871096

What this article does not mention is password policies that unintentionally encourage week passwords. A company that I once worked for forced user to change their passwords every 30 days with password ecpiring warnings within 15 days of expiry. Also, passwords could only be changed once in a 24 hour period and one could not reuse a password that had been used in the last 5 changes.The result was that most users created very simple passwords that included a number representing the month of the year combined with a minumum number of other characters that satified the other character requirements for passwords (upper and lower case letters). This was common so the users could remember their frequently changing password.

I believe the end result was a computer network that was far less secure as a result of the policy.

Of course the policy was never changed because it was create for the sake of having a policy, whether it made the system more secure was less important.

All I am saying....is passwords should not be your only security

Mmmmooooooooooo ;)

MLF